Discovering the SAMLv2 IDP Discovery Service and the Discovery LP

Every web service is described by a Web Services Description Language (WSDL) file that states the type of data the service handles, the ways that data can be exchanged, the operations that can be performed on it, a protocol for invoking those operations, and a URL (or endpoint) at which the service is reached. The WSDL file itself is assigned a uniform resource identifier (URI) that is used to locate it. The file is then published and its URI is placed in a Universal Description, Discovery and Integration (UDDI) repository so that potential users can find it; at that point the web service can be discovered. Discovery of a web service is the act of locating its WSDL file. Because a network typically hosts more than one web service, a discovery service is needed to keep track of the WSDL locations.

The SAML v2 IDP Discovery Service is an implementation of the Identity Provider Discovery Profile as described in the Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 specification. In deployments with more than one identity provider, service providers need to determine which identity provider(s) a principal uses with the Web Browser SSO profile. To allow for this, the SAML v2 IDP Discovery Service relies on a cookie written in a domain that is common to all identity providers and service providers in a circle of trust. This predetermined domain is known as the common domain, and the cookie containing the list of identity providers to choose from is known as the common domain cookie.

The Reader and Writer URLs used by the SAML v2 IDP Discovery Service are defined when configuring the circle of trust. When a user requests access from a service provider and the request does not carry an entity identifier for an identity provider, the service provider redirects the request to the common domain's SAML v2 IDP Discovery Service Reader URL to retrieve the identity provider's entity identifier. If more than one identity provider entity identifier is returned, the last entity identifier in the list is the one to which the request is redirected. Once the identity provider has received the request, it redirects to the Discovery Service Writer URL to set the common domain cookie, using the value defined in the installation configuration properties file. Here is a procedure for setting up and testing the Identity Provider Discovery Service.
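The common domain cookie exchange described above, as an added example that is not part of the original page or of OpenSSO: a reader that decodes the cookie and picks the last entity identifier, and a writer that appends the identity provider just used. The cookie name `_saml_idp` and the space-separated, base64-encoded value format are taken from the SAML V2.0 Identity Provider Discovery Profile; percent-encoding the value for transport, the `Secure` handling and all domain and entity ID values are assumptions constructed for the example.

```python
import base64
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"  # cookie name fixed by the SAML 2.0 IdP Discovery Profile


def _cookie_value(cookie_header, name):
    """Return the raw value of `name` from a Cookie request header, or None."""
    for part in (cookie_header or "").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def read_common_domain_cookie(cookie_header):
    """Reader side: decode the space-separated, base64-encoded entity IDs (oldest
    first). A missing or malformed cookie yields [] rather than a guessed IdP."""
    raw = _cookie_value(cookie_header, COOKIE_NAME)
    if raw is None:
        return []
    entity_ids = []
    for token in unquote(raw).split(" "):  # assumes percent-encoding for transport
        if not token:
            continue
        try:  # validate=True rejects tokens that are not clean base64
            entity_ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            return []
    return entity_ids


def select_idp(cookie_header):
    """The SP's choice from the reader's answer: the last, most recently used IdP."""
    ids = read_common_domain_cookie(cookie_header)
    return ids[-1] if ids else None


def write_common_domain_cookie(cookie_header, idp_entity_id, common_domain, secure=True):
    """Writer side: move/append idp_entity_id to the end of the list and build the
    Set-Cookie header for the (assumed) common domain."""
    ids = [e for e in read_common_domain_cookie(cookie_header) if e != idp_entity_id]
    ids.append(idp_entity_id)
    value = " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in ids)
    attrs = [f"{COOKIE_NAME}={quote(value, safe='')}", f"Domain={common_domain}", "Path=/"]
    if secure:
        attrs.append("Secure")  # the page's "Secure Cookie" option: send over TLS only
    return "; ".join(attrs)
```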

Download the opensso.zip file to a location on your server machine.

Unzip opensso.zip into /opensso.

Change to the deployable-war sub-directory.

Follow the instructions in the README to build a specialized WAR for the identity provider discovery service.

Create a new directory as the staging area for the identity provider discovery service WAR (for example, idpwar), and extract the contents of opensso.war into it.

Provide values for the identity provider Discovery Service attributes on the configuration page.

Debug directory

Debug Level

Cookie Type - by default, PERSISTENT SESSION

Cookie Domain

Secure Cookie

Encode Cookie

On the service provider host machine, use the console to create a Circle of Trust with the identity provider discovery service URL used as the prefix for the value of the Reader and Writer URL attributes. For example, the value of the SAML2 Writer Service URL would be http://idp-discovery-server-machine:port/idpdiscovery/saml2writer and the value of the SAML2 Reader Service URL would be http://idp-discovery-server-machine:port/idpdiscovery/saml2reader.

Now, on the identity provider host machine, use the console to create a Circle of Trust with the value of the prefix attribute also set to the identity provider discovery service URL, http://idp-discovery-server-machine:port/idpdiscovery.

Load the service provider metadata onto the identity provider machine.

Change the value of host in the identity provider metadata to 0 or remote.

Load the identity provider metadata onto the service provider machine.

After this configuration, the values of the Writer URL and Reader URL in each circle of trust are the URL of the Identity Provider Discovery Service.

Perform SAMLv2 test cases for service provider-initiated and identity provider-initiated single sign-on and single logout.

Each time you perform these operations from the service provider side, the Discovery Service logs will show the redirection to the identity provider. Here is an example log: